Method for establishing a connection between a terminal and an operating mobile radio network, mobile radio network and terminal used in such a method

ABSTRACT

According to the inventive method, in order to set up a connection between a terminal (MS1 a) that supports a set (UEA-MS) of encryption techniques and a serving mobile radio network (NW2), a message is transmitted from the serving mobile radio network (NW2) to the terminal (MS1 a) that designates the encryption techniques (UEA-NW) supported by the serving mobile radio network. The terminal selects, if one is available, an encryption technique (UEA) that is supported by both the terminal and the serving mobile radio network (NW2), and the connection is operated using the encryption technique selected by the terminal. If no encryption technique is available that is supported by both the terminal and the serving mobile radio network, the connection is operated unencrypted only after prior authorization.

[0001] The invention relates to a method for setting up a connection between a terminal and a serving mobile radio network, particularly a packet-type mobile radio network such as, for example, a GPRS or UMTS-PO network, and to a mobile radio network and a terminal which are, in particular, suitable for use with such a method.

[0002] In unencrypted connections in mobile radio systems and, in particular, in packet-type mobile radio systems such as GPRS or UMTS-PO, there is a possibility of so-called "hijacking" attacks in which an intruder infiltrates his own files or data packets into someone else's connection and thus becomes a parasite on radio resources which are paid for by regular users. Possibilities for such attacks exist, for example, when a regular user accesses data services such as those of an Internet provider or announcement services which frequently charge high tariffs. An attacker who successfully infiltrates such a connection can also access the services and possibly even continue the access when the regular user believes that the connection is already terminated, and the regular user is then charged the fees due for this. If the usage fees are calculated not from the duration of a connection but from the number of files transferred, the attacker can mix his file in with a file of the user. Users can be especially susceptible to attacks on on-line payment traffic: an attacker could succeed in triggering disadvantageous payment processes unnoticed by the user. An effective countermeasure against such misuse is the use of encryption techniques.

[0003] As a protection, the familiar GSM network provides the terminal and the network with the possibility of setting up an encrypted connection and of selecting, during connection setup, an encryption technique supported by both ends.

[0004] In the familiar GSM network, the terminal informs the base station of the encryption techniques it supports. The base station then selects one which it supports itself, in order to prepare an encrypted connection in an early phase of the connection setup, even before authentication (authentication and key agreement between terminal and network). The designation of this encryption technique is transmitted back to the terminal and transmission begins using the encryption mechanism thus specified.

[0005] However, this negotiation of an encryption technique is not secure if active attacks on the radio interface are taken into consideration. The network is not able to check whether the information it receives about the encryption techniques supported by the terminal was actually sent by the terminal, and the terminal likewise cannot be sure that the network has received the correct information. An active attacker can therefore alter the list in transit so that a weaker technique, or none at all, is negotiated.

[0006] This approach normally used in the GSM network is also applied in the UMTS system. In that system, integrity protection techniques are additionally used which enable a receiver to recognize whether the data it receives actually come from the assumed transmitter or have been corrupted by a third party.

[0007] When a connection is set up in the UMTS system, the encryption and the integrity protection techniques supported by the terminal, which are statically stored in it, are transmitted to the serving mobile radio network in an early phase of the connection setup. The serving mobile radio network selects an encryption technique and an integrity protection technique which it also supports itself, starts the integrity protection and sends the designations of the selected techniques to the terminal. Together with the selected encryption and integrity protection techniques, the network reports back to the terminal the techniques it has received. On receiving this information, the terminal checks the completeness of the received message and compares the encryption and integrity protection techniques it transmitted to the network with those reported back, in order to detect by this means a possible corruption of the exchanged messages. When the terminal has acknowledged reception, encryption can begin. If the network does not select an encryption technique but the "unencrypted" mode of operation, the terminal can reject the connection.

[0008] Such a procedure is unproblematic as long as the terminal is located within the area of its home network, because it can then be ensured that the terminal and the network have at least one encryption technique in common. Hence, cases where a connection intended by the user of the device cannot be encrypted do not occur. It is therefore obvious, and has already been proposed as a standard, to use terminals which reject unencrypted connections outright. If all users are equipped with such terminals, it will scarcely be possible for an intruder to take control of an existing connection and to infiltrate his own data into it in such a way that they trigger the intended reactions in the network.

[0009] A critical disadvantage of this approach is, however, that it raises problems when the serving mobile radio network is not also the home network of the terminal. This is because the use of encryption techniques in mobile radio is not permitted in all countries. Moreover, these techniques are partly subject to export restrictions, so that they cannot be used in some countries where they would be permitted under national law, because export to these countries is subject to sanctions.

[0010] Thus, terminals which only allow encrypted connections could not be used in a large number of countries and would therefore be unattractive to users.

[0011] It is also conceivable that, during connection setup, a terminal offers the serving network not only the supported encryption techniques but also the option of operating the connection unencrypted. This would possibly extend the geographic area in which the devices can be used, but at the cost of security: the desired protection would no longer be effective, since an attacker would have the possibility of pretending to the terminal that he is the base station of the serving network and instructing the terminal to leave the connection unencrypted.

SUMMARY OF THE INVENTION

[0012] The invention discloses a method for setting up connections, and a terminal and a mobile radio network, which on the one hand provide a high degree of security against "hijacking" attacks but on the other hand can also be used in countries in which encryption cannot be used and which, at the same time, are not complicated for users to use.

[0013] In one embodiment, by shifting the responsibility for selecting the encryption technique to be used for a connection to the terminal in accordance with the invention, an attacker can no longer influence this selection and, in particular, cannot produce an unencrypted connection unless this has been expressly authorized. The authorization can be granted by the user of the terminal, for example in advance by operating the terminal in an operating mode in which it also accepts unencrypted connections, or in the individual case by operating the terminal in an operating mode in which, every time a connection to be set up cannot be encrypted, the terminal requests authorization for setting up this connection from the user. The authorization can also be granted by the home network of the terminal, as will be explained in greater detail later.

[0014] In another embodiment, if the serving mobile radio network provides integrity protection, for example in the case of a UMTS network, it is desirable, in order to protect against attacks, that the integrity protection be activated before the message about the encryption techniques supported by the serving mobile radio network is transmitted to the terminal. The terminal can thus detect whether the message has been corrupted or comes from an unauthorized source and, if necessary, ignore it.

[0015] In one aspect, in order to be able to set up integrity protection, it is desirable that the terminal report the integrity protection techniques it supports to the serving mobile radio network, and that the serving mobile radio network select one among the integrity protection techniques supported by both itself and the terminal and transmit a message about the selected integrity protection technique to the terminal. This message can be part of the message to the terminal which lists the encryption techniques supported by the serving mobile radio network.

[0016] In a preferred embodiment of the method, an encryption administration information item, which informs the terminal whether unencrypted connections with the serving mobile radio network have been authorized by the home network, is transmitted by the home network to the terminal for setting up a connection. As explained above, this authorization may be necessary, e.g. because of national law at the location of the serving mobile radio network or because of export restrictions.

[0017] In one aspect, if the serving mobile radio network permits an encrypted connection, encryption should be used. In principle, however, it cannot be excluded that a connection has to be established unencrypted even if the serving mobile radio network supports encryption, for reasons which are outside the scope of the present invention and are not discussed in the description that follows.

[0018] In this embodiment of the method, the readiness of a terminal to accept unencrypted connections is essentially under the control of the home network. This makes it possible to ensure the highest degree of transmission security: negligence by the user cannot lead to connections remaining unencrypted at locations where there is no technical or legal necessity for this.

[0019] Transmitting the encryption administration information item from the home network of the terminal ensures that the content of this information is reliable.

[0020] The encryption administration information item is transmitted in a simple manner via the serving network.

[0021] In one embodiment, during the transmission via the serving network, corruption of the encryption administration information item by the serving network, or an encryption administration information item forged by an attacker, can be recognized. For this purpose, the mobile terminal can check the authenticity of the item. This check can be performed implicitly by the home network sending the encryption administration information item encrypted with its own key, or by protecting the information item with an integrity mechanism. If this encryption administration information item is not comprehensible to the serving mobile radio network (encryption) or is protected by a message authentication code (integrity mechanism), the serving mobile radio network is not able to manipulate it but must transmit it transparently, and a manipulated base station used for a hijacking attack is likewise not able to generate an encryption administration information item which is accepted as genuine by the terminal.

[0022] In another embodiment, when the encryption administration information item specifies the necessity or permissibility of an unencrypted connection, the user of the terminal is advantageously given the choice of whether the connection is to be set up unencrypted or the connection attempt is to be aborted. This ensures that, in cases of doubt, the user is aware of the risk of unauthorized access to his connection and of the possibility of monitoring, and can thus decide from case to case whether this risk is tolerable or whether a more secure type of transmission should be selected.

[0023] In one aspect, to keep the terminal as simple to operate as possible, it can also be provided that, if it is necessary, i.e. if the encryption administration information item supplied by the home network specifies that the serving network does not support encryption, an unencrypted connection is established without further query. In this case, it is appropriate to inform the user that the connection is unencrypted by means of a display on the user's terminal.

[0024] In another aspect, the terminal can advantageously be switched between at least two of three operating modes which correspond to the abovementioned alternative procedures for the case of a lacking encryption capability.

[0025] In still another aspect, less signaling complexity during the setting-up of a connection can be achieved under these circumstances by the terminal reporting the integrity protection techniques it supports to the serving mobile radio network, and the serving mobile radio network selecting one among the integrity protection techniques supported by both itself and the terminal and informing the terminal of this, before the encryption administration information item is transmitted or the encryption technique is selected.

[0026] In another embodiment of the invention, there is a terminal including, for example, a control unit which selects one among the encryption techniques supported by the terminal and by the serving mobile radio network, and a serving mobile radio network configured to follow an instruction, sent by the terminal, to use a selected encryption technique.

BRIEF DESCRIPTION OF THE DRAWINGS

[0027] In the text which follows, exemplary embodiments are explained in greater detail with reference to the drawings, in which:

[0028] FIG. 1 shows the structure of a mobile radio network in which a terminal is located whose home network differs from this mobile radio network.

[0029] FIG. 2 shows the sequence of a connection set-up between the terminal and the mobile radio network from FIG. 1.

[0030] FIG. 3 shows a modification of the signaling sequence shown in FIG. 2.

DETAILED DESCRIPTION OF THE INVENTION

[0031] FIG. 1 illustrates the structure of a mobile radio communications system in which the present invention can be applied. The figure shows two mobile radio networks NW1 and NW2, the designations of the components of the first network in each case including the number 1 and those of the second network the number 2.

[0032] Each network NW1, NW2 comprises a full-coverage arrangement of geographic cells C1 a, C1 b, . . . , C2 a, C2 b, . . . , which in each case correspond to the range of the radio signal from base stations BS1 a, BS1 b, . . . , BS2 a, BS2 b, . . . which communicate with mobile terminals staying in the respective cells. These networks NW1, NW2 can be, e.g., UMTS mobile radio networks.

[0033] In each case, a number of base stations BS1 a, BS1 b, . . . and BS2 a, BS2 b, . . . are allocated to one base station controller BSC1, BSC2, and the base station controllers BSC1, BSC2 are in each case connected to a mobile switching center MSC1, MSC2 via intermediate stages, not shown. The mobile switching centers switch connections between mobile terminals when both are located in cells which are allocated to the same mobile switching center.

[0034] Each mobile terminal is allocated to a so-called home network, which is normally the mobile radio network of an operator with whom the user of the terminal has concluded a usage contract. So-called roaming agreements between the network operators enable users to operate their terminals in other mobile radio networks as well as in the home network. The mobile radio network via which a mobile terminal is handling its communication at a given time is called the serving network; it can differ from the home network.

[0035] To explain the present invention, in particular a mobile terminal MS1 a is considered which, as can be seen from its number 1, has the first mobile radio network NW1 as its home network but is staying in cell C2 a of the second mobile radio network NW2. Connections of this terminal MS1 a to other terminals within the area of the serving second network NW2, for example to the terminal MS2 a, are handled by the second network NW2 alone; connections to terminals within the area of the home network NW1, such as the terminal MS1 b, or to terminals of a third mobile radio network or of a landline network, such as the terminal UE1, are switched via a landline network area called CN (core network) in this case.

[0036] FIG. 2 shows the sequence of the signaling between the terminal MS1 a, a base station of the serving network NW2 and the home network NW1 when a connection to the terminal MS1 a is to be set up. The reason for this can be that the user of the terminal MS1 a wishes to establish a connection or that a third party is attempting to reach him. As an example, it is assumed that the networks NW1, NW2 are UMTS networks.

[0037] The terminal MS1 a begins to set up the connection to the serving mobile radio network NW2 with a message about the set UIA-MS of the integrity protection techniques it supports (stage a).

[0038] The serving mobile radio network NW2 interrogates the home network NW1 of the terminal MS1 a for an encryption administration information item which contains information, authorized by the operator of the home network NW1, about whether and possibly which encryption techniques UEA are available in the area of the serving mobile radio network NW2 (stage a). In the case of UMTS, this encryption administration information item is part of the so-called quintet and, in particular, part of the so-called authentication token (AUTN).

[0039] This is followed by a stage b of authentication.

[0040] In an authentication, one party sends the other an authentication request containing a number (a challenge) from which the other party calculates a response by means of a predetermined algorithm and a key known only to it. The requesting party compares the received response with an expected value: if the two match, it knows that the other party really is who it claims to be.

[0041] In UMTS, the network also sends an authentication token (AUTN) which includes a sequence number SQN, a management field AMF and a message authentication code MAC. This token allows the network to be authenticated by the terminal. The management field AMF includes the encryption administration information item supplied by the home network NW1. This information item is integrity protected by the message authentication code, so that the serving network is not able to change it and must therefore transmit it transparently (stage b).

[0042] Since a false base station BS3 which does not belong to the mobile radio network NW2, and which could possibly be used for hijacking attacks on the connection of the terminal MS1 a, does not obtain such an encryption administration information item AMF from the home network NW1, it is not easily able to present a forged authentication token AUTN to the terminal MS1 a in such a way that it will be accepted by the terminal MS1 a and the latter therefore initiates an unencrypted connection. Such a forgery would require the secret key shared between the home network and the terminal, from which the message authentication code is computed.

[0043] Instead of integrity protection, the home network NW1 could also encrypt the encryption administration information item AMF with a key which does not need to be known to the serving mobile radio network NW2.

[0044] However, such protection is not mandatory. It is also conceivable that protection against attacks is left in the hands of the user to a certain extent, in that whenever an encryption administration information item AMF received by the terminal MS1 a states that an unencrypted connection is necessary, a display on the terminal MS1 a draws the user's attention to this. If such a display appears while the terminal MS1 a is located in a country in which encryption is possible, it can be concluded that the terminal MS1 a is subject to an attack and that it is advisable to abort the connection set-up.

[0045] During the authentication procedure, the serving mobile radio network NW2 selects one (UIA) from the set UIA-MS and the set UIA-NW of the integrity protection techniques supported by itself, and activates it (stage c). A message about the selected integrity protection technique UIA is then transmitted to the terminal MS1 a under the integrity protection already in existence (stage d). This message also includes the designations of the integrity protection techniques UIA-MS previously reported to the serving mobile radio network NW2 by the terminal MS1 a, so that the terminal MS1 a can find out whether these designations have been correctly received by the serving mobile radio network NW2, and the designations of the encryption techniques UEA-NW supported by the serving mobile radio network NW2.

[0046] The terminal MS1 a then selects an encryption technique UEA which is supported both by itself and by the serving mobile radio network NW2 (stage e) and reports it back to the network NW2 (stage f). From this time on, encrypted transmission can begin (stage g).
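The following Python listing is an added example, not part of the patent text or of any 3GPP specification. It simulates the FIG. 2 exchange of stages a to f end to end: the home network NW1 issues an AUTN whose AMF field carries the encryption administration information item under a message authentication code, the serving network NW2 relays it unchanged, selects UIA and sends an integrity-protected message listing UEA-NW together with the echoed UIA-MS, and the terminal MS1 a verifies both before choosing UEA by its own preference order. A false base station BS3, which does not hold the shared key K, fails to have a forged "unencrypted permitted" AUTN accepted. The key K, the bit position used in AMF, the field encoding and the HMAC-based stand-ins for the UMTS functions f1 and f4 are assumptions of this example.

```python
# Added example (not from the patent): FIG. 2 signaling simulated end to end.
# Assumptions: K, the AMF bit position, the field encoding and the HMAC-based
# stand-ins for f1/f4 are illustrative, not the 3GPP definitions.
import hashlib
import hmac
import os

K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # assumed key shared by USIM and home AuC
AMF_UNENCRYPTED_PERMITTED = 0x8000                     # assumed bit in the 16-bit AMF
UEA_MS = ["UEA2", "UEA1"]   # terminal's encryption techniques, strongest first
UIA_MS = ["UIA2", "UIA1"]   # terminal's integrity techniques, strongest first


def f1_mac(k, rand, sqn, amf):
    """Stand-in for UMTS f1: MAC over RAND||SQN||AMF under the long-term key."""
    return hmac.new(k, rand + sqn + amf, hashlib.sha256).digest()[:8]


def f4_ik(k, rand):
    """Stand-in for UMTS f4: integrity key IK derived from K and RAND."""
    return hmac.new(k, b"IK" + rand, hashlib.sha256).digest()[:16]


def home_network_autn(k, sqn, unencrypted_permitted):
    """NW1 builds RAND and AUTN = SQN||AMF||MAC for the quintet (stage a).
    SQN is sent in clear here; real UMTS conceals it with AK."""
    rand = os.urandom(16)
    amf = (AMF_UNENCRYPTED_PERMITTED if unencrypted_permitted else 0).to_bytes(2, "big")
    return rand, sqn + amf + f1_mac(k, rand, sqn, amf)


def terminal_check_autn(k, rand, autn, expected_sqn):
    """Stage b on the terminal: returns the AMF flag, or None if AUTN is not genuine."""
    sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
    if not hmac.compare_digest(mac, f1_mac(k, rand, sqn, amf)):
        return None   # forged by BS3 or altered by the serving network
    if sqn != expected_sqn:
        return None   # replayed quintet
    return bool(int.from_bytes(amf, "big") & AMF_UNENCRYPTED_PERMITTED)


def mac_i(ik, msg):
    """Integrity tag for signaling once integrity protection is active (stage c)."""
    return hmac.new(ik, msg, hashlib.sha256).digest()[:4]


def serving_network_security_mode(ik, uia_ms_received, uia_nw, uea_nw):
    """Stage c/d: NW2 picks UIA, then sends UIA, the echoed UIA-MS and UEA-NW."""
    uia = next((a for a in uia_ms_received if a in uia_nw), None)
    if uia is None:
        return None
    msg = "|".join(["UIA=" + uia,
                    "ECHO=" + ",".join(uia_ms_received),
                    "UEA-NW=" + ",".join(uea_nw)]).encode()
    return msg, mac_i(ik, msg)


def terminal_select(ik, msg, tag, uia_ms_sent, uea_ms):
    """Stage e: verify the tag and the echoed UIA-MS, then the terminal picks UEA."""
    if not hmac.compare_digest(tag, mac_i(ik, msg)):
        raise ValueError("security mode message fails integrity check")
    fields = dict(f.split("=", 1) for f in msg.decode().split("|"))
    if fields["ECHO"].split(",") != uia_ms_sent:
        raise ValueError("UIA-MS was altered on the air interface")
    uea_nw = fields["UEA-NW"].split(",")
    uea = next((a for a in uea_ms if a in uea_nw), None)   # terminal's order wins
    return fields["UIA"], uea


def run_setup(uea_nw, uia_nw, unencrypted_permitted, sqn=bytes(5) + b"\x01"):
    """Whole FIG. 2 sequence; returns the negotiated parameters or the abort reason."""
    rand, autn = home_network_autn(K, sqn, unencrypted_permitted)   # stage a
    flag = terminal_check_autn(K, rand, autn, sqn)                  # stage b
    if flag is None:
        return {"aborted": "AUTN rejected"}
    ik = f4_ik(K, rand)     # terminal derives IK; NW2 received it in the quintet
    sm = serving_network_security_mode(ik, list(UIA_MS), uia_nw, uea_nw)
    if sm is None:
        return {"aborted": "no common UIA"}
    uia, uea = terminal_select(ik, *sm, UIA_MS, UEA_MS)            # stages e/f
    return {"uia": uia, "uea": uea, "unencrypted_permitted": flag}


def rogue_bs_attempt(sqn=bytes(5) + b"\x01"):
    """BS3 tries to make the terminal accept 'unencrypted permitted' without K."""
    rand = os.urandom(16)
    amf = AMF_UNENCRYPTED_PERMITTED.to_bytes(2, "big")
    forged = sqn + amf + f1_mac(os.urandom(16), rand, sqn, amf)   # wrong key
    return terminal_check_autn(K, rand, forged, sqn)


if __name__ == "__main__":
    print(run_setup(uea_nw=["UEA1", "UEA2"], uia_nw=["UIA1"], unencrypted_permitted=False))
    print("forged AUTN accepted:", rogue_bs_attempt() is not None)
```

Two points of the description are visible in the code: the serving network never sees or chooses the encryption technique, it only lists UEA-NW and obeys the terminal's choice; and the AMF flag is only trusted after the MAC check, which the false base station cannot pass because the MAC key never leaves the home network and the terminal.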

[0047] If the encryption administration information item (carried in AUTN) is genuine and specifies that an unencrypted connection is permitted, and the serving network NW2 does not provide any encryption technique which is also supported by the terminal MS1 a, there are various possibilities for continuing. The first and simplest is to abort the connection set-up under these conditions. Naturally, this very effectively protects the user against fraudulent attacks or against being monitored, but at the same time it also means that the terminal cannot be used in a country where there is no possibility of encryption. For this reason, this possibility is useful as the first of at least two operating modes of the terminal, and the second operating mode should allow an unencrypted connection to be set up.

[0048] Since the first operating mode offers the greatest possible measure of security to the user, however, it is appropriate that the terminal MS1 a assumes this operating mode when the user has not expressly selected another one, or that it automatically returns to this mode when it has been switched off or when it receives an encryption administration information item AUTN which specifies the possibility of encryption, for instance because the terminal has returned from the region of a network without encryption capability into a network with encryption capability.

[0049] In the second operating mode, the setting up of an unencrypted connection is permitted. A first variant allows an unencrypted connection to be set up without interrupting the setting-up process. So that the user knows that he is using an unencrypted connection and is thus taking a certain security risk in this operating mode too, the terminal MS1 a is provided with a display which advises the user of the operating mode set. This display can be, for example, a flashing of the keypad display panel usually provided in mobile terminals, or of parts thereof, a luminous element provided especially for this purpose, or also a ringing signal which varies as a function of the operating mode set.

[0050] In a second variant of the second operating mode, a connection with a serving network without encryption capability is set up only if this is expressly authorized by the user in each case. This can be done, for example, in that in the second operating mode, a key of the terminal which the user actuates to receive a call or to establish a connection to an opposite party (and which in the first operating mode does so directly) causes the display panel of the terminal to display a note that the user is about to establish an unsecured connection; the terminal then requests a declaration of agreement by the user by pressing the same key again or, even more reliably, another key, and establishes the connection after such a key press.
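The following Python listing is an added example, not part of the patent, and models the terminal-side decision of paragraphs [0047] to [0050] for the case where no common encryption technique exists, together with the automatic return to the first operating mode described in [0048]. The same strongest-first selection also serves the FIG. 3 variant in which the terminal chooses the integrity protection technique itself. The mode names, the preference lists and the ask_user callback are assumptions of this example; the flag unencrypted_permitted stands for the encryption administration information item after the terminal has verified it as genuine.

```python
# Added example (not from the patent): terminal policy of [0047]-[0050] and [0048].
# Mode names, preference lists and the ask_user callback are assumptions.
from enum import Enum


class Mode(Enum):
    STRICT = 1            # first operating mode: never accept an unencrypted connection
    UNENCRYPTED_AUTO = 2  # second mode, first variant: proceed but show an indicator
    UNENCRYPTED_ASK = 3   # second mode, second variant: ask the user every time


class Decision(Enum):
    ENCRYPTED = "encrypted"
    UNENCRYPTED = "unencrypted"
    ABORT = "abort"


def choose_strongest(preference, offered):
    """Terminal picks by its own strongest-first list; the network's order is irrelevant."""
    return next((alg for alg in preference if alg in offered), None)


class Terminal:
    def __init__(self, uea_ms, uia_ms, mode=Mode.STRICT):
        self.uea_ms = list(uea_ms)    # strongest first
        self.uia_ms = list(uia_ms)
        self.mode = mode              # [0048]: STRICT unless the user chose otherwise
        self.indicator_on = False     # display / LED / ring pattern of [0049]

    def power_cycle(self):
        """[0048]: after switch-off the terminal returns to the most secure mode."""
        self.mode = Mode.STRICT
        self.indicator_on = False

    def select_uia(self, uia_nw):
        """FIG. 3 variant (stage e'): the terminal also chooses the integrity technique."""
        return choose_strongest(self.uia_ms, uia_nw)

    def decide(self, uea_nw, unencrypted_permitted, ask_user=lambda: False):
        """Stage e / b': returns (Decision, selected UEA or None).

        uea_nw: UEA-NW from the integrity-protected message of stage d.
        unencrypted_permitted: the home network's AMF flag, already verified genuine.
        ask_user: callback for the second variant; True means the user consents.
        """
        if not unencrypted_permitted:
            self.mode = Mode.STRICT   # [0048]: genuine AUTN says encryption is available
        uea = choose_strongest(self.uea_ms, uea_nw)
        if uea is not None:
            self.indicator_on = False
            return Decision.ENCRYPTED, uea            # [0017]: encrypt whenever possible
        if not unencrypted_permitted or self.mode is Mode.STRICT:
            return Decision.ABORT, None               # no authorization: abort setup
        if self.mode is Mode.UNENCRYPTED_ASK and not ask_user():
            return Decision.ABORT, None               # user declined the unsecured link
        self.indicator_on = True                      # [0049]: user must see the risk
        return Decision.UNENCRYPTED, None


if __name__ == "__main__":
    ms = Terminal(["UEA2", "UEA1"], ["UIA2", "UIA1"], mode=Mode.UNENCRYPTED_ASK)
    print(ms.decide([], unencrypted_permitted=True, ask_user=lambda: True))  # unencrypted
    print(ms.decide(["UEA1"], unencrypted_permitted=False))                  # back to STRICT
    print(ms.mode)
```

Both authorizations of [0013] are visible as separate conditions: the home network's flag is a precondition for any unencrypted connection, and the operating mode (or the user's answer in the second variant) then decides whether the terminal actually proceeds.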

[0051] Using the method described above, the home network can ensure in a simple and effective manner that its users reliably apply encryption in foreign networks accessible to them through roaming agreements and offering the possibility of encryption, and at the same time can give them the freedom of also using the networks of those countries which do not permit encryption.

[0052] For the same reasons described above, for which it is advantageous if it is the terminal and not the serving mobile radio network which decides the encryption technique to be used, it is also appropriate, according to an embodiment of the invention, if the terminal decides the type of integrity protection. The sequence of signaling in this method is shown in FIG. 3. The first stages of the method, up to and including the setting up of the integrity protection selected by the serving mobile radio network NW2, are the same as described above with reference to FIG. 2.

[0053] The message transmitted to the terminal MS1 a in stage d′, which includes the encryption techniques UEA-NW supported by the serving mobile radio network NW2, here additionally includes designations of the integrity protection techniques supported by the serving mobile radio network NW2. After receiving this message, the terminal MS1 a selects, in addition to the encryption technique UEA to be used, an integrity protection technique UIA′ (stage e′) which is supported by both the network and the terminal, and then sends an instruction to the serving mobile radio network NW2 to use both selections UEA, UIA′ in the following procedure (stage f′).

[0054] This method also provides the terminal with control over the integrity protection technique used during the subsequent communication (stage g), and it is thus always possible to use, among the available techniques, the one which promises the greatest possible measure of security from the point of view of the user.

[0055] To keep the terminal as simple to operate as possible, it canalso be provided that, if it is necessary, i.e. if the encryptionadministration information item supplied by the home network specifiesthat the serving network does not support encryption, an unencryptedconnection is established without further check back. In this case, itis appropriate to inform the user that the connection is unencrypted bymeans of a display on the terminal of the user.

[0056] The terminal can be advantageously switched between at least twoof three operating modes which correspond to the abovementionedalternative procedures for the case of a lacking encryption capability.

[0057] Less signaling complexity during the setting-up of a connectioncan be achieved under these circumstances by the terminal reportingintegrity protection techniques supported by it to the serving mobileradio network, and the serving mobile radio network selecting one amongthe integrity protection techniques supported by itself and the terminaland informing the terminal of this, before the encryption administrationinformation item is transmitted or the encryption technique is selected.

[0058] A terminal suitable for carrying out the method comprises, amongother things, a control unit which is capable of selecting one among theencryption techniques supported by the terminal and by the servingmobile radio network, and a serving mobile radio network must be capableof following an instruction, as sent by the terminal, to use a selectedencryption technique.

[0059] In the text which follows, exemplary embodiments are explained ingreater detail with reference to the drawing, in which:

[0060]FIG. 1 diagrammatically shows the structure of a mobile radionetwork in which a terminal is located, the home network of whichdiffers from the mobile radio network,

[0061]FIG. 2 shows the sequence of a connection set-up between theterminal and the mobile radio network from FIG. 1; and

[0062]FIG. 3 shows a modification of the signaling sequence shown inFIG. 2.

[0063]FIG. 1 illustrates the structure of a mobile radio communicationssystem in which the present invention can be applied. The figure showstwo mobile radio networks NW1 and NW2, the designations of thecomponents of the first network in each case containing the number 1 andthose of the second network containing the number 2.

[0064] Each network NW1, NW2 comprises a full-coverage arrangement ofgeographic cells C1 a, C1 b, . . . , C2 a, C2 b, . . . , which in eachcase correspond to the range of the radio signal from base stations BS1a, BS1 b, . . . , BS2 a, BS2 b, . . . which communicate with mobileterminals staying in the respective cells. These networks NW1, NW2 canbe, e.g. UMTS mobile radio networks.

[0065] In each case, a number of base stations BS1 a, BS1 b, . . . andBS2 a, BS2 b, . . . are allocated to one base station controller BSC1,BSC2 and the base station controllers BSC1, BSC2 are in each caseconnected to a mobile switching center MSC1, MSC2 via intermediatestages, not shown. The mobile switching centers switch connectionsbetween mobile terminals when both are located in cells which are ineach case allocated to the same mobile switching center.

[0066] Each mobile terminal is allocated to a so-called home networkwhich is normally the mobile radio network of an operator with whom theuser of the terminal has concluded a usage contract. So-called roamingagreements between the network operators enable the users to operatetheir terminals also in other mobile radio networks and the homenetwork. A mobile radio network via which a mobile terminal is handlingits communication at a given time is called the serving network; it candiffer from the home network.

[0067] To explain the present invention, in particular, a mobileterminal MS1 a is considered which, as can be seen from its number 1,has the first mobile radio network NW1 as home network but is staying incell C2 a of the second mobile radio network NW2. Connections of thisterminal MS1 a to other terminals within the area of the serving secondnetwork NW2, as for example to the terminal MS2 a, are handled with thesecond network NW2 being involved alone, connections to terminals withinthe area of the home network NW1 such as, for example, to the terminalMS1 b or to terminals of a third mobile radio network or of a landlinenetwork such as, for example, the terminal UE1, are switched via alandline network area called CN for core network in this case.

[0068]FIG. 2 shows the sequence of the signaling between terminal MS1 aand a base station of the serving network NW2 and the home network NW1when a connection to the terminal MS1 a is to be set up. The reason forthis can be that the user of the terminal MS1 a wishes to establish aconnection or that a third party is attempting to reach him. As anexample, it is assumed that the networks NW1, NW2 are UMTS networks.

[0069] The terminal MS1 a begins to set up the connection to the servingmobile radio network NW2 with a message about the set UIA-MS of theintegrity protection techniques supported by it (stage a).

[0070] The serving mobile radio network NW2 interrogates the home network NW1 of the terminal MS1 a for an encryption administration information item which contains information, authorized by the operator of the home network NW1, about whether and possibly which encryption techniques UEA are available in the area of the serving mobile radio network NW2 (stage a). In the case of UMTS, this encryption administration information item is a part of the so-called quintet and, in particular, a part of the so-called authentication token (AUTN).

[0071] This is followed by a stage b of authentication.

[0072] In an authentication, one party sends to the other an authentication request which contains a number from which the other party calculates a response by means of a predetermined algorithm and a key known only to it. The requesting party compares the received response with an expected value: if the two match, it knows that the other party really is who it claims to be.

[0073] In UMTS, the network also sends an authentication token (AUTN) which contains a sequence number SQN, a management field AMF and a message authentication code MAC. This token allows the network to be authenticated by the terminal. The management field AMF contains the encryption administration information item supplied by the home network NW1. This information item is integrity protected by the message authentication code, so the serving network is not able to change it and must therefore transmit it transparently (stage b).
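The sequence of stages a and b above, together with the terminal-side selection of claim 1 and the operating modes of claim 19, as an added model (example code, not the patent's or 3GPP's own implementation). The home network NW1 builds RAND and AUTN = (SQN xor AK) || AMF || MAC, the serving network NW2 relays AUTN and offers UEA-NW, and the terminal MS1 a verifies the MAC before trusting the AMF. Assumptions: the UMTS functions f1 and f5 are replaced by HMAC-SHA256 stand-ins (the real f1/f5 are MILENAGE), the "unencrypted authorized" bit of the AMF is an assumed operator-defined bit position, the technique names UEA1/UEA2/UIA1 are mere labels, and a serving network without a common integrity technique is assumed to be rejected, which the text does not state.

```python
"""Added model of the FIG. 2 set-up: MS1 a, serving network NW2, home network NW1.
K is the secret shared by the terminal and its home network only."""
import hashlib
import hmac
import os

SQN_LEN, AMF_LEN, MAC_LEN = 6, 2, 8
# Assumed (operator-defined) AMF bit: set by the home network when the terminal
# is authorized to run unencrypted in the serving network.
AMF_UNENCRYPTED_AUTHORIZED = 0x0001


def f1(k, rand, sqn, amf):
    """Stand-in for the UMTS f1 function (assumption: HMAC-SHA256 truncated to
    64 bits; the real f1 is MILENAGE).  The MAC covers SQN, RAND and AMF, so a
    relaying serving network cannot alter the AMF without detection."""
    return hmac.new(k, sqn + rand + amf, hashlib.sha256).digest()[:MAC_LEN]


def f5(k, rand):
    """Stand-in for f5: the anonymity key AK that conceals SQN inside AUTN."""
    return hmac.new(k, b"f5" + rand, hashlib.sha256).digest()[:SQN_LEN]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def home_network_autn(k, sqn, amf_int):
    """NW1 builds RAND and AUTN = (SQN xor AK) || AMF || MAC, the part of the
    quintet that matters here."""
    rand = os.urandom(16)
    amf = amf_int.to_bytes(AMF_LEN, "big")
    return rand, xor(sqn, f5(k, rand)) + amf + f1(k, rand, sqn, amf)


def terminal_verify_autn(k, rand, autn):
    """Stage b at MS1 a: recover SQN, check the MAC, and only then trust the AMF.
    Returns the AMF as an int, or None if the network failed to authenticate."""
    conc, amf, mac = (autn[:SQN_LEN], autn[SQN_LEN:SQN_LEN + AMF_LEN],
                      autn[SQN_LEN + AMF_LEN:])
    sqn = xor(conc, f5(k, rand))
    if not hmac.compare_digest(mac, f1(k, rand, sqn, amf)):
        return None
    return int.from_bytes(amf, "big")


def first_common(preferred, offered):
    """First entry of `preferred` that `offered` also contains, else None."""
    offered = set(offered)
    return next((t for t in preferred if t in offered), None)


def terminal_decide(uea_ms, uea_nw, amf, mode, user_accepts=False):
    """Claim 1 steps b)/b') with the three operating modes of claim 19
    ('indicate', 'abort', 'ask').  Returns (outcome, technique)."""
    uea = first_common(uea_ms, uea_nw)
    if uea is not None:
        return "encrypted", uea
    if not amf & AMF_UNENCRYPTED_AUTHORIZED:
        return "abort", None            # unencrypted operation not authorized
    if mode == "abort" or (mode == "ask" and not user_accepts):
        return "abort", None
    return "unencrypted", None          # display must indicate 'unencrypted'


def setup_connection(k, sqn, amf_home, uia_ms, uia_nw, uea_ms, uea_nw,
                     mode="indicate", user_accepts=False, nw2_tampers=False):
    """The whole exchange.  With nw2_tampers, NW2 flips the AMF bit to push
    the terminal into an unencrypted connection it was not authorized to accept."""
    # stage a: MS1 a -> NW2: UIA-MS; NW2 picks a UIA both support (claim 3)
    uia = first_common(uia_nw, uia_ms)
    if uia is None:                     # assumption: no integrity protection, no set-up
        return {"uia": None, "outcome": "abort", "uea": None}
    # stage a: NW2 -> NW1: request quintet; NW1 -> NW2: RAND, AUTN carrying the AMF
    rand, autn = home_network_autn(k, sqn, amf_home)
    if nw2_tampers:
        # NW2 rewrites the AMF in AUTN; the MAC still covers the original AMF
        forged = (int.from_bytes(autn[SQN_LEN:SQN_LEN + AMF_LEN], "big")
                  | AMF_UNENCRYPTED_AUTHORIZED).to_bytes(AMF_LEN, "big")
        autn = autn[:SQN_LEN] + forged + autn[SQN_LEN + AMF_LEN:]
    # stage b: NW2 -> MS1 a: RAND, AUTN (relayed transparently), UIA, UEA-NW
    amf = terminal_verify_autn(k, rand, autn)
    if amf is None:
        return {"uia": uia, "outcome": "auth-failed", "uea": None}
    outcome, uea = terminal_decide(uea_ms, uea_nw, amf, mode, user_accepts)
    return {"uia": uia, "outcome": outcome, "uea": uea}


if __name__ == "__main__":
    K, SQN = b"\x01" * 16, b"\x00\x00\x00\x00\x00\x05"      # constructed test values
    print(setup_connection(K, SQN, 0, ["UIA1"], ["UIA1"], ["UEA2", "UEA1"], ["UEA1"]))
    print(setup_connection(K, SQN, 0, ["UIA1"], ["UIA1"], ["UEA2"], ["UEA1"], nw2_tampers=True))
```

The point the patent makes in [0073] is visible in the tampering case: because the MAC is computed over the AMF by the home network, a serving network that rewrites the AMF to claim "unencrypted authorized" simply fails authentication at the terminal, and no unencrypted connection results.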

1. A method for setting up a connection between a terminal (MS1 a) which supports a set (UEA-MS) of encryption techniques, and a serving mobile radio network (NW2), with the following steps: a) transmitting a message from the serving mobile radio network (NW2) to the terminal (MS1 a) which designates the encryption techniques (UEA-NW) supported by the serving mobile radio network (NW2); b) if one is provided, selecting, by the terminal (MS1 a), an encryption technique (UEA) which is supported by the terminal and by the serving mobile radio network; c) operating the connection using the encryption technique selected by the terminal; or b′) if no encryption technique supported by the terminal and by the serving mobile radio network is provided, operating the connection unencrypted only after authorization.
2. The method as claimed in claim 1, characterized in that the message in step a) is transmitted with integrity protection.
3. The method as claimed in claim 1 or 2, characterized in that the terminal (MS1 a) reports integrity protection techniques (UIA-MS) supported by it to the serving mobile radio network (NW2), and the serving mobile radio network (NW2) selects one among the integrity protection techniques (UIA-NW; UIA-MS) supported by itself and by the terminal (MS1 a) and transmits a message about the selected integrity protection technique (UIA) to the terminal (MS1 a).
4. The method as claimed in claim 3, characterized in that the message in step a) contains the information about the integrity protection technique (UIA) selected by the serving mobile radio network (NW2).
5. The method as claimed in one of the preceding claims, characterized in that the serving mobile radio network (NW2) reports integrity protection techniques (UIA-NW) supported by it to the terminal (MS1 a), and the terminal (MS1 a) selects one (UIA′) among the integrity protection techniques supported by itself and by the serving mobile radio network (NW2), the connection being operated under the integrity protection technique selected by the terminal.
6. The method as claimed in claim 5, characterized in that the message in step a) contains the report of the integrity protection techniques (UIA-NW) supported by the serving mobile radio network (NW2).
7. The method as claimed in one of the preceding claims, characterized in that it also comprises the following step: d) transmitting an encryption administration information item (AMF) from the home network (NW1) to the terminal (MS1 a), which tells the terminal (MS1 a) whether unencrypted connections to the serving mobile radio network (NW2) are necessary, wherein in step c) the connection is operated without encryption if the encryption administration information item (AMF) specifies that an unencrypted connection is necessary.
8. The method as claimed in claim 7, characterized in that, in the case where the encryption administration information item (AMF) specifies that an unencrypted connection is necessary, the truth of this statement is checked at the terminal (MS1 a).
9. The method as claimed in claim 7 or 8, characterized in that, in the case where the encryption administration information item (AMF) specifies that an unencrypted connection is necessary, the user of the terminal (MS1 a) is given the choice whether the connection is to be set up unencrypted or the connection attempt is to be aborted.
10. The method as claimed in claim 7 or 8, characterized in that, in the case where the encryption administration information item (AMF) specifies that an unencrypted connection is necessary, the connection is set up unencrypted.
11. The method as claimed in claim 10, characterized in that a display of the terminal is operated in order to inform the user that the connection is unencrypted.
12. The method as claimed in one of claims 7 to 11, characterized in that in step d) the encryption administration information item (AMF) is transmitted to the terminal (MS1 a) via the serving network (NW2) and under integrity protection.
13. The method as claimed in one of claims 7 to 12, characterized in that in step d) the encryption administration information item (AMF) is transmitted to the terminal (MS1 a) via the serving network (NW2) and on an authenticated signaling channel.
14. A terminal, particularly for carrying out a method as claimed in one of the preceding claims, characterized in that it has a control unit for selecting an encryption technique (UEA) which is supported by the terminal (MS1 a) and by the serving mobile radio network (NW2).
15. The terminal as claimed in claim 14, characterized in that the control unit is also able to select an integrity protection technique which is supported by the terminal (MS1 a) and by the serving mobile radio network (NW2).
16. The terminal as claimed in claim 14 or 15, characterized in that the control unit allows an unencrypted connection between the terminal (MS1 a) and the serving mobile radio network (NW2) when an encryption administration information item (AMF) specifies that the serving mobile radio network (NW2) does not support an encryption technique.
17. The terminal as claimed in one of claims 14 to 16, characterized in that it exhibits an encryption display which indicates to a user whether the serving mobile radio network (NW2) supports an encryption technique.
18. The terminal as claimed in claim 17, characterized in that it is set up for receiving the encryption administration information item (AMF) from the serving mobile radio network (NW2) during the setting-up of a connection.
19. The terminal as claimed in claim 17 or 18, characterized in that the control unit can be switched by a user between at least two of the following operating modes: a first operating mode in which a connection is set up with a serving mobile radio network which does not support encryption and an encryption indication is operated in order to inform the user that the connection is unencrypted; a second operating mode in which the attempt to set up a connection is aborted if the serving mobile radio network does not support an encryption technique; a third operating mode in which, if the serving mobile radio network does not support an encryption technique, the attempt to set up a connection is interrupted and a user input is requested which determines whether the attempt is to be aborted or continued.
20. A mobile radio network, particularly for carrying out a method as claimed in one of the preceding claims, characterized in that it is able to obey an instruction by a terminal (MS1 a) which designates an encryption technique (UEA) to be used for a connection between the terminal (MS1 a) and the mobile radio network (NW2).
21. The mobile radio network as claimed in claim 20, characterized in that it is also able to obey an instruction by the terminal (MS1 a) which designates an integrity protection technique (UIA′) to be used for a connection between the terminal (MS1 a) and the mobile radio network (NW2).
22. The mobile radio network as claimed in claim 20 or 21, characterized in that it is able to forward a message that a connection is to be set up between it and the terminal (MS1 a) to a home network (NW1) of the terminal (MS1 a) which differs from the mobile radio network (NW2), and to forward an encryption administration information item (AMF) from the home network (NW1) to the terminal (MS1 a), which contains information about the encryption techniques (UEA-NW) supported by the mobile radio network (NW2).